Innovecture Innsight

Identity Management Solutions in the Banking / Financial Services Industry

Banking Authentication
Online banking has seen steady growth in its customer base because of the convenience it offers across servicing capabilities. ING Direct launched the direct-banking wave in the US, and its success paved the way for many other institutions to launch online / direct banking. The convenience of online banking, attractive rates made possible by lower overhead, and new features such as real-time account verification and transfers have made online banking popular across the world. In developing countries, the wide adoption of mobile phones lets banks reach the "unbanked" population and gain market share.

The solutions and mechanisms for ensuring that online banking and financial-services transactions are carried out securely, preventing fraud and protecting customer data and assets, have become complex. Security experts, product vendors and regulators face new challenges in staying ahead of cyber threats and vulnerabilities.
The six different aspects of security in an online world are: Authentication, Authorization, Confidentiality, Access Control, Integrity, and Non-repudiation.

In this insight we discuss the trends and solutions available today in the Authentication space.
  1. Multifactor authentication: In addition to basic authentication (user ID / password), an additional layer of authentication has become a regulatory expectation in the banking industry (in the US, through FFIEC guidance on internet-banking authentication). A common implementation shows the customer a pre-selected image or phrase and asks a secret question. The customer selects the secret question, its answer and the image/phrase at enrollment. The image/phrase is displayed before the password page so that the customer can verify the authenticity of the site and resist phishing. Note that a secret question is a second "something you know" rather than a genuinely different factor, and the image/phrase authenticates the site to the customer, not the customer to the bank; true multifactor authentication adds something the customer has (a token, a registered phone) or something the customer is.
  2. Device fingerprinting: Most financial institutions are pushing to detect fraud in real time rather than after the fact. Device fingerprinting, which collects data about the device accessing the website (browser, operating system, hardware and network attributes), is being adopted rapidly. Companies such as ThreatMetrix, 41st Parameter and RSA operate in this space. If the fingerprint has changed (a new computer, OS or hardware) the user is asked either a secret question or an out-of-wallet question. A fingerprint is an identification signal, not a secret: an attacker who replicates or proxies the collected attributes will match it, so it should feed a risk score rather than replace authentication.
  3. Out-of-wallet authentication: The customer is asked for information that only the customer should know, for example selecting a previous postal address or the name of their mortgage company. The answers are verified in real time against credit-bureau data. Because the same data is held by the bureaus, by data brokers and by anyone who has obtained it through a breach, out-of-wallet questions are best treated as a step-up check rather than a strong standalone factor.
  4. Out-of-band authentication: When a customer performs a transaction that requires additional authentication (e.g. transferring a large amount), a one-time PIN is sent over a different channel, such as the customer's mobile phone, and the customer is asked to enter it on the web. The PIN should be short-lived and bound to the specific transaction it authorizes, and the channel matters: an SMS PIN can be captured through SIM-swap or number-porting fraud, which is why NIST SP 800-63B classes SMS delivery as a restricted authenticator.
  5. Adaptive authentication: A profile is created for each customer, and a real-time risk score is calculated from the customer's relationship with the bank, where they are logging in from and what type of transaction they are performing. The score is compared against a risk threshold; depending on the result the transaction is approved, denied, or the customer is stepped up to out-of-wallet or out-of-band authentication.
  6. OFAC check: The customer or counterparty name is screened against the OFAC sanctions lists (the "hotlist") to ensure that the transaction is not carried out with a sanctioned individual, entity or terrorist organization. This is a compliance screen rather than an authentication control, but it runs in the same transaction pipeline as the checks above.
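The following is an added example, not code from Innovecture or from any of the vendors named above, that ties together items 2, 4 and 5: it hashes constructed device attributes into a fingerprint, computes an adaptive risk score from the fingerprint match, login country, transaction type and relationship history, maps the score to approve / challenge / deny, and, for the challenge case, issues an out-of-band PIN whose server-side record is an HMAC over the transaction details, so a PIN captured for one transfer cannot authorize a modified one. The attribute names, weights, thresholds, customer profile and transactions are all constructed assumptions; real products use far richer signals and models.

```python
"""Added example: device fingerprint comparison, adaptive risk scoring and an
out-of-band PIN bound to the transaction it authorises. All records, attribute
names, weights and thresholds below are constructed for illustration."""
import hashlib
import hmac
import secrets
import time

# Constructed attributes a web front end might collect from the browser.
ENROLLED_DEVICE = {"user_agent": "Mozilla/5.0 (Windows NT 10.0)", "screen": "1920x1080",
                   "timezone": "America/New_York", "platform": "Win32"}


def device_fingerprint(attrs):
    """Hash the collected attributes in canonical order so the same device
    yields the same fingerprint regardless of collection order."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()


# Constructed customer profile; real profiles hold many more signals.
PROFILE = {"device_fingerprint": device_fingerprint(ENROLLED_DEVICE),
           "home_country": "US", "relationship_years": 6}

# Constructed weights and thresholds (assumptions, not any vendor's model).
APPROVE_BELOW = 40   # score below this: approve silently
DENY_AT = 100        # score at or above this: deny outright


def risk_score(profile, device_attrs, country, txn):
    """Adaptive-authentication score: higher means riskier."""
    score = 0
    if device_fingerprint(device_attrs) != profile["device_fingerprint"]:
        score += 40           # new or changed device
    if country != profile["home_country"]:
        score += 30           # login from an unexpected country
    if txn["type"] == "transfer":
        score += 10
        if txn["amount"] >= 5000:
            score += 30       # high-value transfer
    if profile["relationship_years"] < 1:
        score += 10           # new relationship, little history
    return score


def decide(score):
    """Map a score to approve / challenge (step-up) / deny."""
    if score < APPROVE_BELOW:
        return "approve"
    if score >= DENY_AT:
        return "deny"
    return "challenge"


# Out-of-band PIN for the "challenge" outcome. The PIN goes to the customer over
# the second channel; the server keeps only an HMAC tag over (transaction, PIN,
# issue time), so the PIN cannot authorise a different transaction or be replayed
# after its lifetime.
SERVER_KEY = secrets.token_bytes(32)   # demo key; production keys live in an HSM
PIN_TTL_SECONDS = 300


def _tag(txn, pin, issued):
    msg = f"{txn['from']}|{txn['to']}|{txn['amount']}|{txn['type']}|{pin}|{issued}"
    return hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()


def issue_oob_pin(txn, now=None):
    """Return (pin, challenge): the pin is delivered out of band, the challenge is stored."""
    issued = time.time() if now is None else now
    pin = f"{secrets.randbelow(10**6):06d}"
    return pin, {"tag": _tag(txn, pin, issued), "issued": issued}


def verify_oob_pin(txn, pin, challenge, now=None):
    """True only for the right PIN, the same transaction, within the TTL."""
    now = time.time() if now is None else now
    if now - challenge["issued"] > PIN_TTL_SECONDS:
        return False                     # expired
    return hmac.compare_digest(_tag(txn, pin, challenge["issued"]), challenge["tag"])


def authorize(profile, device_attrs, country, txn):
    """One pass of the flow: score, decide, and issue a PIN if step-up is needed."""
    decision = decide(risk_score(profile, device_attrs, country, txn))
    challenge = issue_oob_pin(txn) if decision == "challenge" else None
    return decision, challenge


if __name__ == "__main__":
    txn = {"from": "chk-1", "to": "ext-9", "amount": 7500, "type": "transfer"}
    decision, (pin, ch) = authorize(PROFILE, ENROLLED_DEVICE, "US", txn)
    print(decision, verify_oob_pin(txn, pin, ch))            # challenge True
    print(verify_oob_pin(dict(txn, amount=75000), pin, ch))  # False
```

The point of the HMAC binding is that the server never has to store the PIN itself, and a PIN the customer reads to a social-engineering caller is useless against any transaction other than the one it was issued for. In a real deployment the challenge record would also carry the customer and session identifiers, be invalidated after one successful verification, and be rate-limited against guessing.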
Beyond these, attempts have been made to implement federated identity management. The Liberty Alliance was formed to provide a solution and roadmap for it. Adoption of federated identity management across organizations did not take off because of the complexities and costs involved. However, one-way transfer of security assertions using SAML does happen between two units of the same organization (for example, the credit-card and banking units).